In the last 6 months, several US governmental institutions (including the FDA and the Department of Homeland Security) have warned about the risks of malicious attacks on medical devices, which could lead to theft of information or, worse, remote control of their actual function. The nightmare scenario is one where lifesaving devices are turned into instruments of death by hackers exploiting security vulnerabilities. Scientists at the University of Washington recently demonstrated how a remote surgical tool could be hacked and controlled — an alarming reminder of the need for vigilance.

The Building Code for Medical Device Software Security is intended as a starting point set of guidelines for medical device software developers, focused mainly on the software implementation phase for now. Medical device manufacturers will likely be interested in the draft Code and its evolution.

In Canada, Health Canada is responsible for the regulation of medical devices and has not issued any specific statements or guidance on cybersecurity in medical devices. Health Canada’s equivalent in the US, the FDA, last year issued a set of Guidelines governing the cybersecurity of medical devices. While not binding, the Guidelines draw on international information security standards, and are aimed at assisting manufacturers of medical devices in the development and design of such devices and in preparing premarket submissions.